DEFCON 20: Bypassing Endpoint Security for $20 or Less

Captions
You guys having a good day? All right, well, hopefully you're in the right place. You know, one of the things that I do for a living, I teach at a university, and whenever you go to school, the first day of school, the biggest question on everyone's mind is, did I go to the right classroom? But thankfully we have nice big projectors, so if you're not here to learn about endpoint security and USB impersonation, go somewhere else. Unless you're probably all really just here anyway because the other tracks you really wanted to go to were full, but that's okay, I can live with that.

All right, so let's get started. Just a little bit of a roadmap: why this talk, who is this handsome guy up here, a little bit of brief history of USB, how does USB work. We'll talk about descriptors and endpoints in USB, then we'll delve into mass storage devices, how do they work, and then we'll talk about the good stuff: how do you bypass endpoint security anyway? Talk about some microcontrollers, devices that you can build for 20 bucks or less as advertised, and a little bit about some future directions that you might do.

All right, so why this talk anyway? Well, there are some organizations that are starting to use endpoint security programs in order to restrict portable media. You know, they're tired of everybody just bringing in their stuff and sucking things off of their networks. You know, in the movies what happens, right? Someone has stolen all the secrets onto a flash drive and surprisingly nobody notices until after they've left the building. Do you ever notice that? There's an alarm, oh wait, oh, they just left, darn it. All right, so a lot of software out there exists, it's starting to come into market, that does the equivalent of MAC filtering but for USB. And if you know anything about Wi-Fi, you know MAC filtering doesn't work. So basically what do they do? They have software, it says, are you on my good list, are you on my whitelist, your vendor ID and product ID? And if you're not, well, guess what, I'll show you how you can build something for cheap that makes your device look like it's on that list. And why would you want to do that? Two reasons: you want to inject something and you want to extract something.

So who is this handsome guy? I teach security at a small private university in Iowa. I like to hack hardware. I've been known to fly and build airplanes and do other fun stuff, and the last couple years I've been known to play with USB devices.

All right, so USB. It's been around for quite a while; in '96 they released the first spec and then they quickly updated it a couple years later. Back in the olden days they had 1.5 and 12 megabits per second; 1.5 was called low speed and then 12 was called full speed. And then in 2000 they came out with a new spec and they added high speed, 480 megabits per second. Then they kind of took a break for a bit and they came out with USB 3. We're starting to see some USB 3 devices now that are really getting out there, and they claim speeds of up to five gigabits per second. It's kind of like my cable modem internet, yeah, up to 15 megabits per second; why is it I always get three?

All right, so how does this stuff work anyway? Well, it's made to be very simple from a user standpoint, so they have some nice idiot-proof hardware. It's a pretty simple four-wire protocol, and it's set up so that you cannot screw it up unless you try, right? So, you know, if you're used to going old-school serial, you know that you can very easily hook something up wrong, and you're like, oh, that's the wrong kind of RS-232 cable, or oh, it's got the 25-pin to 9-pin, and oh, it's not a null modem cable. They got rid of all that hassle. Also made it hot-pluggable, and they use differential voltages, which is good for noise and things like that on your lines, and you can have some fairly long USB cables, as much as 16 feet. All right, there's some software involved. There's automatic configuration; there's no jumpers or anything like that that you need to use. There's a process called enumeration where it basically goes to the device and says, tell me about yourself. And within the standard we have some standard classes for our devices, so we have human interface devices, printers, audio devices, and then for today we want to talk about mass storage devices.

So how does this work? Well, it's a 12-step process. Now, of course, I have some friends in the media and they tell me that all hackers are intimately familiar with 12-step programs. All right, so you know what happens: you connect the device, then the hub detects it, and the host, which is usually a PC, is informed there's a new device, and then it starts talking to it, says what are your speeds, what are your capabilities, then it resets it, gives it an address, etc., etc., etc.

All right, so it all comes down to descriptors and endpoints. So an endpoint is really a virtual wire, or a pipe if you will; it's a unidirectional virtual pipe, right? And by the way, the endpoints have a direction, and the direction is measured relative to the host. So sometimes things might seem a little backwards when you're dealing with USB. You might think, but wait, I'm sending stuff out; no, you're sending stuff in to the host. Fortunately a lot of the things like packet fragmentation, handshaking and all that is done in hardware; you can get specialized controller chips to do this. And the address for each endpoint has a meaning: the high bit tells you whether it's in or out. And there are various types of endpoints: control endpoints are something that every device has to have; you can have bulk endpoints, which we'll talk about a bit today; interrupt endpoints; and also isochronous endpoints.

All right, so control endpoints. Most devices use this to communicate with the host, and every device has to have at least one. We call it endpoint zero, not endpoint one, because we don't program in BASIC. And the devices must respond to standard requests, so these standard requests are things like, hey, set your address, give me descriptors, change your power settings, and what's your status anyway. Some of you may have gotten status output from your badge; has anybody, how many of you have hooked those up to USB yet? Really? That's all? Okay, just a little hint, they'll talk to you, tell you status, okay. All right, so the devices can also respond to specific class requests for the class of device, and optionally vendor requests, so you could in theory have a very special driver for your kind of mass storage device. In practicality nobody does that because nobody wants to rewrite the drivers, right?

All right, control endpoints: you've got three stages in the control endpoint transfer. You have a setup stage, a "let's talk", maybe a data stage depending on the kind of communication, and then a status. All right, so in the status stage you just send a zero-length packet back that says ACK, yeah, we're all good. Interrupt, isochronous: I don't really want to talk about them, but just so you know what they are, interrupts are for infrequent communications, things like mice, keyboards, stuff like that. Isochronous is good for streaming media, etc.

All right, bulk endpoints, the good stuff. Bulk endpoints are used for mass storage devices. They don't have any guarantees on latency, but if the bus is idle, which it usually is, you have some pretty good performance. However, if there are other kinds of transports on your bus, it gets superseded by anything else. If you're doing full speed communications, you know, that whopping 12 megabits per second, you're allowed 64-byte packets, and keep that number in mind for later, it'll be relevant. If you're doing high-speed transfers you can use 512-byte packets, and this is used pretty extensively in flash drives, also external hard drives. So the transactions consist of a token packet and then some data, possibly, and then you send it back at the end.

So what's a descriptor? Well, a descriptor describes things. They all have a standard format. The first byte says this is how big this descriptor is; in other words, hardware on the other side, this is when you should stop reading information, right, this is when we're done. The second byte is what kind of descriptor is this thing anyway, and the rest of it is the actual descriptor. Some common types of descriptors: a device descriptor is what's gotten first, and it tells you basic stuff like, hey, how can I talk to this device, what's the power requirements, things like that. Configuration tells me how much power, how many interfaces does it have, you know, how do I talk to it, etc. Then interface goes on to further divide the device, and then we have endpoint descriptors, which tell us about each of the endpoints, and then string descriptors, which just give us strings in Unicode.

All right, so device descriptor: what does it send you? First thing it's going to send you is the length, and then the descriptor type, in this case it's descriptor type one. USB in BCD, it's going to send 0200 in hex, and then it's going to send you a couple of important pieces of information, namely the class, subclass and protocol. Now in the USB spec you can send zeros, which mean, oh well, I'm not going to tell you yet, I will tell you in a later, lower-down descriptor. All right, so I'm not going to tell you in the device descriptor; maybe I'll tell you in the configuration descriptor or the interface descriptor, right? And, you know, other things like packet sizes, and then we have a manufacturer ID and a product ID, and in some cases a serial number that has to be filled out.

So the configuration descriptor is gotten next, and again it starts with the length and then the type; it's type two, they're real creative, right, 1, 2, etc. And it gives you some information. The last bit that it gives you is the maximum power. Now, if you're going to make a little device, say something kind of like this little preview, that is going to fake another device, obviously I have some electronics that are going to require a little bit of power of their own in addition to whatever my thumb drive takes. Some people might be tempted to just crank up that power. Don't do that, all right? The problem with that is if you crank up the power and your port cannot provide that much power, it won't enumerate your device. All right, so usually a hundred milliamps is pretty safe, and it's probably enough anyway. All right, so don't get lazy and get all gung-ho and like, yeah, I think I need a lot of power, you know, five watts of power here. No, don't do that. All right, just a little tip.

All right, then we get an interface descriptor, and again in the interface descriptor we can have the class, subclass and protocol. If we had zeros in the earlier descriptors, then we eventually do have to say this is what kind of device this is. And then we have to describe our endpoints. In the case of a mass storage device, as I'll say in a little bit, you're going to have at least three endpoints: the control endpoint, bulk in and bulk out. And each of those endpoints has an address, and remember that the high-order bit tells you the direction, and then it has an attribute bit field as well, and the attribute bit field will tell you things like, is this a bulk endpoint? Another thing you should keep in mind, you know, all this stuff you can get at usb.org etc.: a lot of these bits are reserved. If they're not zero, things tend to crash on you. All right, so just zero out stuff if it's not specified.

All right, and then we have string descriptors. String descriptors give you Unicode text. Again, the first thing it's going to give you is the length, then it's going to give you the type, it's type three, it's a string descriptor, and then it's going to give you a Unicode string, which for most of us here is pretty much ASCII text where every other byte is just zero. There is a special case, and the special case is string descriptor 0. String descriptor 0 says, what languages do you speak, please, right? And here is proof that the USA has fixed and improved the English language that we got from the British, because even devices you get from the UK report speaking US English, which is by the way hex code 409. Is that Formula 409? Hmm, cleaning up the language, I don't know.

All right, so now that we've learned a little bit about general devices and such, without further delay let's talk a little bit about bulk-only mass storage devices and how does this stuff work, right? So we're talking about flash drives primarily. You know, what kind of hardware do they have, software, file systems, how do you talk to them, things like that. Here's a picture I shamelessly pulled off of Wikipedia, all right, of a flash drive, so you can see the different components. You know, you see things such as a big NAND flash chip, a little controller chip, etc. By the way, the little silver can, you probably know this from looking at your badges for the conference here, is a crystal oscillator. But some of the newer drives, by the way, I have taken apart a few of these, and some of the new ones, they come in this big case. You have this big case and you're looking at it and you're thinking, okay, it probably looks like this inside; I mean, after all, I got this picture off of Wikipedia and it's never wrong. So sometimes you will actually pull one of these apart and you'll find out that it's a big empty case and they have one integrated circuit. It's really integrated; it's the little spacer in the USB connector. It's literally a chip that's got the four leads built onto it, and you're like, really? I have this thing that was, you know, a couple inches long; there was absolutely nothing inside of it. It even had a little sliding case and everything. But just FYI, not so typically.

These thumb drives use NAND flash storage. You get about 10,000 write cycles on these. If you're writing to them in particular, you'd only get anywhere close to that 480 megabits per second, by the way, again, it's like the cable modem, up to this, but not even close. You can only write to it in blocks; typical block sizes are 512 bytes. You can have other larger block sizes, although honestly I have a whole stack of these sitting on my desk at home and I haven't seen a single one of them with these large blocks. Maybe I just don't buy the right drives, but I guess I like the cheap ones, maybe that's what it is. And you can have some forensic fun with those as well.

So how does this work? These flash drives present themselves as a SCSI device, so they really look like a SCSI hard drive to your computer, and then you have typically 512-byte sectors, and they use the SCSI control set. Most of these devices are pre-formatted as one partition. Wait, we don't call them partitions for flash drives; we call them logical units, and call them LUNs, logical unit numbers. By the way, here's a little tip: I have found that some versions of Windows do not see other than the first logical unit, so if you want to hide something on a thumb drive, put it on other than the first partition and don't use a Windows-compatible file system. All right, that'd be another good way. Sometimes the reported sizes don't match the actual sizes, you know, you can use that to hide some information. A few years ago there was a big batch of cheap Chinese thumb drives that kind of went out in the market. I see some head shaking, did you buy one of those? Now, okay. And what they did is they over-advertised; they said, hey, this is a four gig drive, and it was really only two, and they figured by the time you filled it up past the two, then it would just start generating errors, and they'd be like, well, I'm long gone by then. It's like buying something in the flea market: oh, sorry, it wasn't a real Rolex. Other things to keep in mind: typically each 512-byte block needs 16 bytes for error correction, so you might wonder why is the size not exactly what it's reported to be. Software, usually implemented in a controller chip, has to detect communications, respond to requests, check for errors, manage power, things like that.

All right, what kind of file systems can you put on these things? Well, it's a block device, whatever you want. Now most of the time they come pre-formatted as FAT or FAT32. For external hard drives I've seen those pre-formatted as NTFS. For a thumb drive, if you want to, you can put the True Flash File System, the Extreme Flash File System, the Journaling Flash File System, or my personal favorite, Yet Another Flash File System, right, it's kind of like YAML again. If you want to maybe potentially hide some information from Windows users, a higher-order LUN with a non-Windows, i.e. Linux-only, file system can work really well.

All right, so how do you talk to this flash drive anyway? You have this bulk-only mass storage protocol; sometimes it's called BBB because it's all bulk. And unlike many devices, instead of using the control endpoints, you use the bulk endpoints, and there are three phases. There's a command block wrapper phase where you send a command block in a wrapper, data transport depending on the command, and then a command status wrapper where you say, hey, did this succeed or not? All right, so most of these drives use the reduced SCSI instruction set, and, you know, if you have to send or receive data, you use a bulk endpoint for that. So what does this look like? Here's a little C structure for a command block wrapper. It starts with a signature; the signature is really creative. Incidentally, kind of a funny story, I was reading a book on USB stuff a couple years ago and they just had, in hex, here is this code, and I'm looking at it and they actually had it reversed, and I'm like, wow, that's just kind of obscure. Well, if you look at it, it types "USBC" for USB command; it's not so obscure. And then there's a tag that associates, you know, the packet; it's like a sequence number for TCP/IP. And, you know, how long is it going to be, and some flags, etc. And then finally a command block. You have 16 bytes in this wrapper, and real commands are going to use 6 to 16 of those. So for example, if I wanted to format a unit, I'm going to have a command block; it looks kind of like this. The first byte is always going to be a command code. Again, what am I supposed to do? I have to know what the command is to know how much more I should really be looking at anyway. What's the logical unit number, etc., etc. Another example, if I want to do a read, there are different formats for read and write; this one is called READ(10), and it's based on how long the command block is. All right, so what are some common SCSI commands? Format unit is a good one because you can in one atomic operation just format the unit and erase it; inquiry, how's it going; mode select; mode sense; read; read format capacity; read capacity; all those other things, right? Command status wrapper comes at the end, so you send a command block, something happens, maybe some data is transferred, and at the end you send a command status wrapper, and it looks kind of like this, and again, real creative: "USBS", S for status, right?

By the way, if you're cheap and you want to view all this lovely USB traffic and you have a Linux machine, if you don't know this, you can use usbmon. So if you just do a modprobe usbmon and you fire up Wireshark, guess what, all of a sudden you have a bunch of USB buses available for you to trace the stuff on. Comes in handy. Of course a hardware USB tracer would be nicer, but they're a little bit more expensive than free.

All right, enough of this background stuff; let's talk about the good stuff. How do I bypass this security anyway? So essentially what we're doing is impersonation, or social engineering USB style, if you will. All right, so if we know what an authorized VID/PID is, we can use that fact to mount a device and then inject some code, get some stuff off of our device. Also, the device that I designed optionally allows you to do some write blocking. So we'll use some microcontrollers because they're fun and they're cheap. So, you know, when you're going to use a microcontroller, you can look at the different possibilities and say, which one should I use? Well, AVR is pretty popular; it's used in the Arduino family, a lot of code out there. Unfortunately it doesn't do USB very well; even the U-series chips, that, yeah, you don't need the FTDI chip anymore, but they don't do mass storage. They will do HID stuff, but they don't do the mass storage stuff. Same thing is true with the PIC family; a lot of people like them, I like them, they're fine, but just not good for this purpose. So the winner is neither of those. A couple years ago FTDI, you know, the people who make those little USB interface chips, came up with a microcontroller of their own; maybe they got tired of just making the interface chips. It's a little faster, 48 megahertz, and unlike the Arduinos it has sort of a proper real-time operating system; it's got threads and semaphores and cool stuff like that, and more importantly, USB classes.

So how does this work? These Vinculum-II chips allow for two full speed USB 2.0 interfaces, which can be host or slave interfaces. The chip also has a whopping 256K of flash memory, which if you don't do microcontrollers doesn't sound like a lot, and if you do, it does; 16K RAM and normal microcontroller kind of stuff. They have several development modules available, which is a good thing because they only provide their chips in surface mount technology, so it can be a real pain in the butt for prototyping and things like that. They also have yet another Arduino clone; they call it the Vinco. It's got the Arduino format, sort of, with that extra row of pins that you can use. So they come in the surface mount packages. You know, here's a basic block diagram of the chip, which I'm sure you guys can't read anyway; it's in the slides. It does have a fairly decent IDE; it's not Eclipse or anything like that, but it gets the job done. It has some debugging facilities and such, so it does work. And in there they do have this nice ability where you can pull up the chip that you're going to target and you can point and click and say this pin is going to do this and this pin is going to do that, right? And again, one other difference between the AVR series and these FTDI chips is that in the AVRs, when you go from one sized chip to the next, it changes the amount of RAM and flash, whereas here it's consistent, so the only thing that changes if I go from a 32-pin to a 64-pin is the amount of I/O pins I have available to me. So that can be nice and useful; you can develop something and then you can scale it up and down as required.

All right, okay, so what's the small package look like? You know, if I just want something tiny, I can get something, I'm sure you guys can't see this so well, but it looks about like this. All right, so it's a little 32-pin development board, and I only have four pins to solder. I can sacrifice an old USB printer cable, solder it on there. And the disclaimer: only four pins to solder if you're not fond of things like LCD displays and blinky lights and stuff like that, okay? But so if you want to add that stuff, then okay, maybe you did have to solder a little bit more. If you're really not into soldering you could use one of those Arduino clones like this Vinco board shown here. Now you don't have to solder on a cable because it's got a host and slave port built into it. Again, same disclaimer.

All right, so how does this microcontroller-based impersonator work anyway? What it does is it allows you to insert your flash drive and it enumerates it, and then when you plug this device into the PC, the PC says, oh, I see there's a new device, let me enumerate it, and it tries to get an authorized VID/PID combination, right? If it's not successful it tries the next one. All right, so there are two basic modes of operation in the device. You can either say, oh well, I know what the VID/PID is and I'll just set it, or you can try automatic mode. So in automatic mode I have 500 of the most common VID/PID combinations and it will just scan through those.

So, high-level design: it's a multi-threaded app. You know, one thread says, hey, let's talk to this thumb drive; another thread that talks to your computer; some management threads and things like that. Also there's a timer thread, and what the timer thread does is, if you're in the automatic mode, whenever the PC asks for a device descriptor it says, oh, someone's trying to talk to me, and it starts a timer. If they stop talking to you after a second and they don't ask for additional descriptors, it says, oh, someone's blocking, I'll go to the next one, and that's how that works. And there's also a thread for reading the buttons as they come in.

All right, so the main thread sits around, waits for packets to come in. If it's a whitelisted command it forwards it on; it forwards on things like command block wrappers, performs the data transport phase, does a little man-in-the-middle action, and does the CSW passing. All right, if you're write blocking, if there are non-whitelisted commands, it just says, hey, yeah, I got your command, and then it does any sort of data transport phase and it says, you're good, it worked. All right, and now initially, in an early design of this, I actually returned an unsupported command status if you tried to do things like format my drive or write to it, and what I found is, strangely enough, Windows does not handle it correctly. Wow. So you tell Windows "unsupported command"; what do you think Windows does? Tries again, and again, and again, and it never gives up, right? It's really obnoxious. So, all right, so the main loop, you know, sits around waiting for stuff, and then I have a bunch of handlers. So this is just a quick example for the inquiry command: it gets a command block wrapper, forwards it to the device, gets a response, sends it back, and waits for a command status wrapper, sends it back. You know, it's not rocket science here. Timer thread, as I said, will get started, and that will wait for additional queries for descriptors, and it will get reset if the device actually got fully enumerated. By the way, I don't currently have this set up this way, but you could start to brute force the VID/PID if you got to the end of the list, and, hey, the source code's available if you want to do it.

Other complications: Windows and Linux do treat these devices a little bit differently. One thing I found is that Linux sucks in a whole lot of information at the start, whereas Windows sucks in a lot less. It's one of the few cases where Windows sucks less. All right, so what did I do for my testing? Primarily I used udev rules. If you're not familiar with udev rules on Linux, they're a really powerful tool, and they're a little bit addictive; they're kind of fun to play with. So what I did was set up some udev rules to say, here's my whitelist of mass storage devices, and if it's not on the list, you can't mount it. All right, my open-source solution is a better value; it's equally ineffective but at a better price. So why waste thousands of dollars when you can be just as insecure for free? That's the way, okay.

All right, enough, it's demo time. Some of the gamers might get the reference there. Well, Evan, that was just for you, you know. So, yeah, here's one version of the device. I realize you can't see it so well when I hold it up here, but this is the slightly bigger device. As far as the board on the right, it's just a programming board, and then I have an LCD display and I have the actual development board; in this case there's a thumb drive plugged into it. The pot you see there is just for adjusting the LCD, and then I have a red light and a green light for the write blocking status. All right, so it comes on initially write blocking, so the green light should be on. The leftmost button can be used to toggle that status, and then the other buttons are used in order to set the VID and the PID.

So, by the way, is Javed, Javed, are you here somewhere? Okay. This video is dedicated to Javed Malik. Javed made a comment recently about how there seem to be a lot of videos out there on the internet for hacking and security that are nothing but people typing and clicking with music. So I dedicate this actual silent video with no music to Javed, if it plays. If it doesn't play, I dedicate it to Microsoft. They worked great in the speaker room earlier. Oh, so handsome, oh wait, it was already there. Please stand by. If it helps you, you can imagine old-time music. Let's see if we get lucky today. That's very easy, of course, if they have USBDeview; you can look in the registry. To make the demo quicker, I did. So here you see the welcome screen, and then it gives you an opportunity to set it, or it goes into automatic, and notice that the green light's on. And it did take a while, by the way; it didn't instantly mount my drive. I should have said insert Monty Python music here. Oh, I got lucky, this guy had a payroll file on his desktop.

All right, just a little food for thought: where could we go from here? Well, we could possibly speed it up. Again, if you look in the registry and try to find an authorized VID/PID that was previously loaded. By the way, if you're not familiar with USBDeview, it's a nice little tool; it tells you all kinds of useful information on previously attached USB devices, not just mass storage. We could use the larger device here to divine the VID/PID and then possibly pre-program a bunch of smaller devices if we're going to, like, en masse go and attempt to do something, maybe, say, an organization where we knew what was authorized. Like everything else, you can thwart this device. It does only operate at full speed; if you wanted to detect that, you could possibly say, oh, I know that somebody's doing something bad. And you could use proprietary drivers, but you don't really see a lot of that out there; it's kind of, even if you did, that's security through obscurity, which we all know is no security at all. One other thing: remember, who remembers what's the maximum packet size for a full speed USB endpoint? 64 bytes. What is the default block size? 512. So what happens is it has to fragment and unfragment all those blocks, so that does give you a little bit of a performance penalty, unfortunately, but I don't know how you could do anything better other than find something that supports full speed, right? Just a couple references; these are in the conference DVD. You can go to my GitHub in a couple days, since I kind of forgot to update it before I came out here, or you can feel free to email me. I'm also available on Twitter, just @ppolstra; it's not real creative, but people can find me. So thanks, guys.
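The command block wrapper, command status wrapper and the write-blocking decision the talk walks through, as an added Python illustration that is not the speaker's Vinculum-II firmware or any code from his GitHub: the byte layouts follow the USB bulk-only transport the talk describes, the SCSI opcode names are the standard ones, the function names and the read-only whitelist are my own choices, and the sample traffic is constructed.

```python
# Constructed illustration of USB bulk-only transport framing, not the talk's firmware.
import struct

CBW_SIGNATURE = b"USBC"        # the "real creative" signature from the talk
CSW_SIGNATURE = b"USBS"        # S for status
CBW_FMT = "<4sIIBBB16s"        # signature, tag, transfer length, flags, LUN, CB length, CB
CSW_FMT = "<4sIIB"             # signature, tag, data residue, status
CBW_LEN = struct.calcsize(CBW_FMT)   # 31 bytes
CSW_PASSED = 0                 # bCSWStatus: 0 passed, 1 failed, 2 phase error

# Reduced SCSI opcodes typically seen from a flash drive (SPC/SBC names).
OPCODES = {
    0x00: "TEST UNIT READY", 0x03: "REQUEST SENSE", 0x04: "FORMAT UNIT",
    0x12: "INQUIRY", 0x1A: "MODE SENSE(6)", 0x1E: "PREVENT ALLOW MEDIUM REMOVAL",
    0x23: "READ FORMAT CAPACITIES", 0x25: "READ CAPACITY(10)", 0x28: "READ(10)",
    0x2A: "WRITE(10)", 0x35: "SYNCHRONIZE CACHE(10)", 0x5A: "MODE SENSE(10)",
    0xA8: "READ(12)", 0xAA: "WRITE(12)",
}
# Commands a write blocker forwards to the drive; anything else is absorbed.
READ_ONLY_WHITELIST = {0x00, 0x03, 0x12, 0x1A, 0x1E, 0x23, 0x25, 0x28, 0x5A, 0xA8}


def parse_cbw(data: bytes) -> dict:
    """Unpack a 31-byte Command Block Wrapper, rejecting malformed ones."""
    if len(data) != CBW_LEN:
        raise ValueError(f"CBW must be {CBW_LEN} bytes, got {len(data)}")
    sig, tag, xfer_len, flags, lun, cb_len, cb = struct.unpack(CBW_FMT, data)
    if sig != CBW_SIGNATURE:
        raise ValueError(f"bad CBW signature {sig!r}")
    cb_len &= 0x1F                              # only the low five bits are valid
    if not 1 <= cb_len <= 16:
        raise ValueError(f"bad command block length {cb_len}")
    return {
        "tag": tag,
        "transfer_length": xfer_len,
        "direction_in": bool(flags & 0x80),      # bit 7 set: data flows to the host
        "lun": lun & 0x0F,
        "cdb": cb[:cb_len],                      # real commands use 6 to 16 of the 16 bytes
        "opcode": cb[0],
    }


def build_cbw(tag: int, xfer_len: int, direction_in: bool, lun: int, cdb: bytes) -> bytes:
    """Frame a SCSI command block the way a host's usb-storage stack would."""
    flags = 0x80 if direction_in else 0x00
    return struct.pack(CBW_FMT, CBW_SIGNATURE, tag, xfer_len, flags, lun, len(cdb),
                       cdb.ljust(16, b"\x00"))


def build_csw(tag: int, residue: int = 0, status: int = CSW_PASSED) -> bytes:
    """Frame the 13-byte Command Status Wrapper that ends a transfer."""
    return struct.pack(CSW_FMT, CSW_SIGNATURE, tag, residue, status)


def lba_range(cdb: bytes):
    """For READ(10)/WRITE(10) return (lba, block count); fields are big-endian."""
    if cdb[0] in (0x28, 0x2A) and len(cdb) >= 10:
        return struct.unpack(">I", cdb[2:6])[0], struct.unpack(">H", cdb[7:9])[0]
    return None


def handle_cbw(data: bytes, write_block: bool = True):
    """Decide what the man-in-the-middle does with one CBW.

    Whitelisted commands are forwarded and the real drive supplies the CSW.
    Anything else gets a fabricated CSW that claims success (the caller still
    drains the host's data-out phase first). The status is deliberately
    "passed": the talk found that a failure status makes Windows retry forever.
    """
    cbw = parse_cbw(data)
    if not write_block or cbw["opcode"] in READ_ONLY_WHITELIST:
        return "forward", None
    return "block", build_csw(cbw["tag"], residue=0, status=CSW_PASSED)


def describe(data: bytes, write_block: bool = True) -> str:
    """One log line per CBW, the kind of thing a usbmon/Wireshark trace shows."""
    cbw = parse_cbw(data)
    name = OPCODES.get(cbw["opcode"], f"opcode 0x{cbw['opcode']:02X}")
    extent = lba_range(cbw["cdb"])
    where = f" lba={extent[0]} blocks={extent[1]}" if extent else ""
    direction = "IN" if cbw["direction_in"] else "OUT"
    return (f"tag=0x{cbw['tag']:04X} lun={cbw['lun']} {name}{where} {direction} "
            f"{cbw['transfer_length']}B -> {handle_cbw(data, write_block)[0]}")


# Constructed sample traffic: a read, a write and a format, all on LUN 0.
SAMPLE_READ10 = build_cbw(0x1001, 8 * 512, True, 0, bytes([0x28, 0, 0, 0, 1, 0, 0, 0, 8, 0]))
SAMPLE_WRITE10 = build_cbw(0x1002, 8 * 512, False, 0, bytes([0x2A, 0, 0, 0, 1, 0, 0, 0, 8, 0]))
SAMPLE_FORMAT = build_cbw(0x1003, 0, False, 0, bytes([0x04, 0, 0, 0, 0, 0]))

if __name__ == "__main__":
    for sample in (SAMPLE_READ10, SAMPLE_WRITE10, SAMPLE_FORMAT):
        print(describe(sample))
```

Feeding real CBWs captured with usbmon into `describe` gives a per-command audit trail of what a host asked a drive to do, which is the defender's side of the same framing.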
Info
Channel: Christiaan008
Keywords: DEFCON, security conference
Id: qBCelkEs8bc
Length: 43min 53sec (2633 seconds)
Published: Wed Nov 21 2012